Install IIS in Win2K and configure asp + cgi + php + mysql

Install Win2K, then install IIS. Setup lists Indexing Service, FrontPage 2000 Server Extensions, Internet Service Manager (HTML) and other components; do not install them unless necessary. (The security principle: minimum service + minimum permissions = maximum security.)
First, open Internet Services Manager (Start --> Programs --> Administrative Tools --> Internet Services Manager). It shows a default site and an SMTP service item. Select the default site and delete all the directories under it (press the Delete key on your keyboard). Then stop IIS. The simplest method is Start --> Run, enter net stop iisadmin, then press Y and Enter (the start command is net start w3svc). Delete the Inetpub directory on drive C completely (stop IIS before deleting it), create a directory on another disk, and in IIS Manager point the home directory of the default site at the directory you just created. If you need directories with particular permissions, create them yourself.
(Pay special attention to the write and execute permissions. Do not grant them unless it is absolutely necessary. They are not granted by default, so you do not need to study them.)
Application configuration: in IIS Manager, delete every mapping you do not need, leaving only ASP, ASA and the other file types you actually use (apart from cgi and php, I think the rest are useless; delete htw, htr, idq, ida ...). Where do you delete them? Choose Internet Services Manager > Site > Properties > WWW Service > Edit > Home Directory > Configuration > Application Mappings, then delete them one by one (they cannot all be selected at once, which is really tedious). Next, on the App Debugging tab of the same window, change the script error message setting to send a text message (unless you want your program/network/database structure revealed whenever an ASP error occurs). What the error text says is up to you. When you click OK to exit, do not forget to let the virtual directories inherit the attributes you set.
To deal with the growing number of CGI vulnerability scanners, you can also use the following tip: in IIS, redirect the HTTP 404 Object Not Found error page to a custom HTM file by URL. This causes most CGI vulnerability scanners to malfunction, because every probe returns HTTP 200 whether or not the vulnerability exists. 90% of CGI scanners will conclude that you have every vulnerability, so the results bury your real vulnerabilities and confuse intruders. Personally, though, I still think that solid security settings matter more than tips like this.
Win2000 account security is another focus. First, a default installation of Win2000 allows anyone to obtain the list of all accounts and shares on the system through a null (empty user) session. This is intended to make file sharing convenient for LAN users, but a remote user can also obtain your user list and brute-force the user passwords. Many of you know that you can restrict null connections (port 139) by changing the registry value HKEY_LOCAL_MACHINE/System/CurrentControlSet/Control/LSA, RestrictAnonymous = 1. In fact, the Win2000 local security policy (or, on a domain server, the domain server security policy and domain security policy) also has this option, RestrictAnonymous (additional restrictions on anonymous connections). The option has three values:
0: None. Rely on default permissions
1: Do not allow enumeration of SAM accounts and shares
2: No access without explicit anonymous permissions
The value 0 is the default and imposes no restrictions. Remote users can learn all the accounts, group information, shared directories, and the network transport list (NetServerTransportEnum) on your machine. This setting is very dangerous for servers.
The value 1 allows only non-null users to access SAM account information and share information.
The value 2 is supported only in Win2000. Note that if you use this value, your shares will probably all stop working, so it is recommended that you set it to 1.
Now intruders cannot get our user list, so our accounts are secure... Not so fast. At least one account can still have its password brute-forced: the system's built-in administrator. What should you do? In Computer Management > User Accounts, right-click administrator and rename it to whatever you want; just remember it. After changing the administrator user name, it can still be seen on the Terminal Services logon screen (it is remembered after you log on). To fix this, run regedit, find the DontDisplayLastUserName string under HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows NT/CurrentVersion/winlogon and set it to 1, so that the system no longer automatically displays the last user name.
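The two registry settings above can be checked offline against a regedit export. This is an added example, not part of the original article: the export text is constructed, and the key paths are written the way regedit exports them (backslashes, and `Windows NT` with a space).

```python
import re

# Constructed sample: text of a regedit export (REGEDIT4 format) from a
# hypothetical Win2K server. Values are made up for the example.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="0"
'''

LSA = r'hkey_local_machine\system\currentcontrolset\control\lsa'
WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: int or str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if m and current is not None:
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith('dword:'):
                current[name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                current[name] = raw[1:-1]
    return keys

def audit(text):
    """Return findings for the two settings discussed above."""
    keys, findings = parse_reg(text), []
    ra = keys.get(LSA, {}).get('restrictanonymous', 0)  # absent means default 0
    if ra == 0:
        findings.append('RestrictAnonymous=0: null sessions can enumerate accounts and shares')
    elif ra == 2:
        findings.append('RestrictAnonymous=2: anonymous access blocked, file sharing may break')
    last = keys.get(WINLOGON, {}).get('dontdisplaylastusername', '0')
    if str(last) != '1':
        findings.append('DontDisplayLastUserName is not 1: logon screen shows the last user name')
    return findings

if __name__ == '__main__':
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

An empty list from `audit()` means both settings match the recommendations in the text (RestrictAnonymous = 1, DontDisplayLastUserName = 1).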
For added security, you can also enable TCP/IP filtering: right-click My Network Places on the desktop -> Properties -> right-click the network adapter you want to configure -> Properties -> TCP/IP -> Advanced -> Options -> TCP/IP filtering. There are three filters: TCP ports, UDP ports, and IP protocols. Click "Permit Only" and add the ports you want to open below it. Generally, a web server only needs 80 (WWW); an FTP server needs 20 (FTP Data) and 21 (FTP Control); then there are 3306 (MySQL) and 3389 (remote terminal control; you need this if your host is hosted in a remote machine room and cannot be operated directly). A mail server may need 25 (SMTP) and 110 (POP3); I have not studied the other ports. However, if you use only the services provided in this article, you only need to open the ports above.
-- Cgi support
Download ActivePerl (you can download the latest version from www.perl.com)
1. Run install.exe. It installs to C:/PERL by default; for convenience, install it in the C:/USR directory instead. (That way the path to the Perl interpreter can be written directly as #!/usr/bin/perl, and the path stays consistent between the standalone environment and the network environment. During installation, press Y.)
2. After installation, follow the three steps below to modify the registry: run RegEdit and find the key HKEY_LOCAL_MACHINE/System/CurrentControlSet/Services/W3svc/Parameters/scriptMap.
Then add the key name ".cgi" with the key value "C:/USR/BIN/perl.exe %s", and the key name ".pl" with the key value "C:/USR/BIN/perl.exe %s".
(Not sure how to create them? In the right-hand pane, right-click --> New --> String Value and change the name to .cgi, then double-click it and enter the value data, that is, the key value mentioned above.)
To let this host support PHP, add the mappings for php and php3 here as well (it will make creating new sites easier in the future):
Add the key name ".php" with the key value "C:/php/php.exe %s"
Add the key name ".php3" with the key value "C:/php/php.exe %s"
OK. It takes effect immediately after a restart. CGI is now supported! After a new site is created, php and cgi support will be included by default in its application configuration (if you do not want to grant a site this support, delete the mappings).
-- Mysql support
Download mysql (you can download the latest version from www.mysql.com)
1. Decompress the download and run setup.exe for a full installation. The default installation path is c:/mysql;
2. After the installation is complete, open "Run" from the "Start" button, enter the command C:/mysql/bin/mysqld-nt.exe --install, and execute it;
3. Start --> Programs --> Administrative Tools --> Services --> find mysql --> start it;
4. The MySQL installation is complete. Restart Win2000.
5. After the restart, run C:/mysql/bin/winmysqladmin.exe. The first time you use it, you need to set the administrator user name and password. A small "traffic light" icon will then appear in the system tray (it is loaded automatically when the system starts from then on).
6. OK, MySQL is now supported!
-- Php support
Download PHP (you can download the latest version from www.php.com)
1. Decompress PHP 4.0.4 to c:/php;
2. Copy the php.ini-dist file from the php directory to the WinNT directory and rename it php.ini (this is the PHP configuration file and it works without any changes; I did not study it carefully);
3. Modify the contents of php.ini as needed. To use the session functions, create the c:/tmp directory and set session.save_path in php.ini to the absolute path c:/tmp;
4. Copy the php4ts.dll file from the PHP directory to the WinNT/System32 directory;
5. Start "Internet Service Manager" (IIS) from Administrative Tools in the Control Panel;
6. Open the site properties. On the 'ISAPI Filters' tab, add a new filter, use 'php' as the filter name, and enter php4isapi.dll with its path (c:/php/sapi/php4isapi.dll) in the Executable field.
7. On the "Documents" tab of the properties, select "Enable Default Document" and add "index.php";